Cybercrime Collaboration: The Rise of Scattered LAPSUS$ Hunters (2026)

A Cybercrime Powerhouse Emerges: Scattered Spider, LAPSUS$, and ShinyHunters Unite!

Imagine a world where the most notorious cybercrime groups decide to join forces. That's precisely what's happening with the formation of Scattered LAPSUS$ Hunters (SLH), a collective born from the union of Scattered Spider, LAPSUS$, and ShinyHunters. This isn't just a merger; it's a strategic alliance that's reshaping the cybercrime landscape.

This new group wasted no time in making its presence known, creating no fewer than 16 Telegram channels since August 8, 2025. But here's where it gets controversial: these channels are constantly being taken down and recreated, a testament to the group's determination to maintain a public presence despite platform moderation. Trustwave SpiderLabs, a LevelBlue company, highlighted this in its report, emphasizing the group's resilience.

SLH quickly launched data extortion attacks, targeting organizations, including those using Salesforce. Their main offering? Extortion-as-a-Service (EaaS), allowing affiliates to leverage the group's notoriety to demand payments. This collaborative approach is a key part of their strategy.

These groups are all linked to a broader cybercriminal network known as "The Com," which is characterized by fluid collaboration and brand-sharing. They've also shown associations with other clusters like CryptoChameleon and Crimson Collective. This interconnectedness highlights the complex web of relationships within the cybercrime world.

Telegram is the central hub for SLH's activities, where members coordinate operations and promote their services. It's a clever tactic, turning their channels into a megaphone to disseminate their messaging and market their illicit offerings.

Trustwave noted that administrative posts began to include signatures referencing the 'SLH/SLSH Operations Centre,' projecting the image of an organized command structure. This creates an illusion of legitimacy for their fragmented communications.

What's next?

The group is also using Telegram to accuse Chinese state actors of exploiting vulnerabilities, while simultaneously targeting U.S. and U.K. law enforcement agencies. They've even invited subscribers to participate in pressure campaigns, offering a minimum payment of $100 for finding and relentlessly emailing C-suite executives. This is a clear example of their audacious tactics.

Meet the Players:

  • Shinycorp (aka sp1d3rhunters): Coordinates and manages brand perception.
  • UNC5537: Linked to the Snowflake extortion campaign.
  • UNC3944: Associated with Scattered Spider.
  • UNC6040: Linked to a recent Salesforce vishing campaign.

Other key players include Rey and SLSHsupport, responsible for engagement, and yuka (aka Yukari or Cvsp), a developer of exploits and an initial access broker (IAB). This reveals the diverse skill sets within the group.

Ransomware on the Horizon?

While data theft and extortion are their current focus, SLH has hinted at a custom ransomware family called Sh1nySp1d3r, suggesting potential future ransomware operations. This expansion into ransomware could signal a significant escalation in their activities.

Trustwave sees SLH as a blend of financially motivated cybercrime and attention-driven hacktivism, driven by both monetary incentives and social validation. They've mastered the art of perception and legitimacy within the cybercriminal ecosystem.

"Taken together, these behaviors illustrate an operational structure that combines social engineering, exploit development, and narrative warfare – a blend more characteristic of established underground actors than opportunistic newcomers."

A Cartelization of Cybercrime

This news comes as Acronis revealed that the threat actors behind DragonForce have unleashed a new malware variant using vulnerable drivers to disable security software. DragonForce, which launched a ransomware cartel earlier this year, has partnered with Qilin and LockBit to share techniques and resources.

"Affiliates can deploy their own malware while using DragonForce's infrastructure and operating under their own brand," Acronis researchers said. "This lowers the technical barrier and allows both established groups and new actors to run operations without building a full ransomware ecosystem."

DragonForce is aligned with Scattered Spider, with the latter breaking into targets through social engineering, followed by deploying remote access tools. DragonForce also used the leaked Conti source code, adding an encrypted configuration to remove command-line arguments.

What are your thoughts? Do you think this consolidation of cybercrime groups will lead to more sophisticated attacks? Share your opinions in the comments below!

Author: Velia Krajcik
